Introducing Ligetron zkVM by Ligero

Ligetron by Ligero Inc. is redefining the boundaries of zero-knowledge technology with a cutting-edge ZK system that brings zkVM to any hardware. On our platform you can build a full-fledged zkApp directly from your browser and deploying it on any device—no tedious compiling, just seamless, end-to-end functionality. ZK Anywhere Everywhere!

We're on a mission to revolutionize Web3 with a plug-and-play solution for enabling privacy-focused applications for individuals and organizations. Our vision is bold:

• Empower service providers to choose from a dynamic mix of ZK-based identity proofs, including ZKemail, ZKTLS, ZKPassport, and W3C verifiable credentials. Whether it's proving an email address or showcasing verifiable credentials, users can demonstrate their identity through a tailored subset of options the provider chooses.

• Enable lightweight privacy solution powered by zkValidiums, offering a superior toolchain and advanced features tailored to modern needs.

A ZK Born in Cryptography

The Ligero Zero-Knowledge (ZK) proof system made its debut in 2017 as the first zkSNARK with no trusted setup. Since then, many scalable ZK solutions have gravitated toward STARKs—published in 2018 by the StarkWare team. Like Ligero, STARKs are hash-based proof systems; they build on the foundations of coding theory and computational complexity (for eg, see efficient Probabilistically Checkable Proofs (PCPs) pioneered by Ben-Sasson and Sudan). By contrast, Ligero traces its origins to the MPC-in-the-head paradigm introduced in the seminal work of Ishai, Kushilevitz, Ostrovsky and Sahai. Despite these different lineages, both STARKs and Ligero can be abstracted as Interactive Oracle Proof (IOP) systems that rely on Merkle trees and the Fiat-Shamir heuristic—rooted in the works of Killian and Micali—to compile down into zkSNARKs.

Benchmark results demonstrate that Ligero often achieves faster prover times than STARKs (see references here and here), thanks in part to its inherent parallelism. Meanwhile, STARKs typically yield smaller proofs that scale polylogarithmically with the computation size, whereas Ligero’s proof size grows proportionally to the square root of the computation size. In practice, many modern ZK architectures combine a faster, less succinct approach (e.g., STARKs) with a slower but more succinct scheme (e.g., Groth16), which can reduce the impact of these proof-size trade-offs in real-world deployments.

Memory-Efficiency and the Ligetron ZK system

Ligetron, introduced by Ligero showcases the first hash-based proof system that is memory efficient. Specifically, the prover requires no more memory than the what the underlying computation requires when executing natively. Getting memory efficient requires running through the entire computation each round (as the entire computation cannot be kept in memory). Ligetron can run from a browser with unlimited scalability, while every other ZKSNARK system typically cannot scale beyond a computation size of more than a few million constraints. Ligero involves 2-rounds of interaction while Starks and other hash-based systems like Brakedown require logarithmic rounds (that is compiled down applying the Fiat-Shamir heuristic). This matters significantly when reducing the hardware (specifically memory footprint of the prover) as the prover needs to generate the trace of the entire computation in each round.

The MPC-In-The-Head Paradigm

The MPC-in-the-head paradigm was introduced in 2009 by Ishai, Kushilevitz, Ostrovsky, and Sahai (IKOS). This breakthrough result established a novel connection between zero-knowledge (ZK) proof systems and secure multi-party computation (MPC). Compared to MPC, the ZK setting is highly specialized: there are only two parties, with the prover holding a private input, and the goal is to validate some relation securely. In contrast, general MPC involves any number of parties, each potentially holding private inputs, and enables computation of arbitrary functions. While it was well known that general-purpose MPC protocols implies ZK proofs (since ZK proofs can be viewed as a specific instance of MPC), the IKOS paradigm showed how to design ZK proofs based on MPC protocols that could leverage the efficiency of the underlying MPC protocols even beyond general-purpose protocols (eg, MPC in the honest-majority setting). By bridging these scenarios, IKOS provided a groundbreaking perspective that reshaped the design of efficient ZK-proof systems.

Prior to IKOS, all ZK constructions either applied to a concrete statement or required heavy transformation into a subclass of considerably harder statements (also known as NP-complete reductions). Instead of applying this transformation, IKOS suggested directly applying an MPC protocol on the circuit, validating the statement, and thus pushing the overhead induced by the above transformation into an alternative circuit representation.

In more detail, the IKOS paradigm has the prover locally simulate an MPC protocol, generating a transcript of the messages exchanged between virtual parties and committing to it as the first message to the verifier. These messages can be viewed as the proof oracle in the IOP framework. To ensure soundness, the verifier challenges the prover to open a subset of the messages for consistency checks. This method's strength lies in its flexibility, as different MPC protocols can be instantiated to achieve various complexity tradeoffs. In 2016, ZKBoo by Giacomelli et al. demonstrated the practicality of MPC-in-the-head by analyzing concrete parameters and refining the modularity and security requirements of the underlying MPC. However, this analysis was limited to a specific class of MPC protocols where the transcript scaled linearly with the circuit size. Even with the improvements in ZB++ by Chase et al. (2017), the proof sizes remained linear due to reliance on a limited class of virtual MPC protocols, which constrained the consistency checks to a small number of parties. 

Ligero addressed these limitations by leveraging a different instantiation of an MPC protocol by Damgård and Ishai that maintained security against stronger adversaries. This innovation enabled a sublinear proof system, organizing the parties' messages via Packed Secret Sharing. Ligero's key innovation was the instantiation of an MPC protocol with sublinear transcripts (an optimized version of the Damgård-Ishai MPC protocol). This advancement required a new security analysis to address adaptive corruptions, ensuring the prover could not coordinate the corrupted parties in the virtual protocol with the verifier's challenge.